SKILL

Hunting For Living Off The Cloud Techniques

Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse of Azure, AWS, GCP services, and SaaS platforms.

Published by @mukul975·0 agent reads / 30d·0 saves·

Hunting For Living Off The Cloud Techniques

When to Use

  • When proactively hunting for indicators of hunting for living off the cloud techniques in the environment
  • After threat intelligence indicates active campaigns using these techniques
  • During incident response to scope compromise related to these techniques
  • When EDR or SIEM alerts trigger on related indicators
  • During periodic security assessments and purple team exercises

Prerequisites

  • EDR platform with process and network telemetry (CrowdStrike, MDE, SentinelOne)
  • SIEM with relevant log data ingested (Splunk, Elastic, Sentinel)
  • Sysmon deployed with comprehensive configuration
  • Windows Security Event Log forwarding enabled
  • Threat intelligence feeds for IOC correlation

Workflow

  1. Formulate Hypothesis: Define a testable hypothesis based on threat intelligence or ATT&CK gap analysis.
  2. Identify Data Sources: Determine which logs and telemetry are needed to validate or refute the hypothesis.
  3. Execute Queries: Run detection queries against SIEM and EDR platforms to collect relevant events.
  4. Analyze Results: Examine query results for anomalies, correlating across multiple data sources.
  5. Validate Findings: Distinguish true positives from false positives through contextual analysis.
  6. Correlate Activity: Link findings to broader attack chains and threat actor TTPs.
  7. Document and Report: Record findings, update detection rules, and recommend response actions.

Key Concepts

ConceptDescription
T1102Web Service
T1567Exfiltration Over Web Service
T1537Transfer Data to Cloud Account

Tools & Systems

ToolPurpose
CrowdStrike FalconEDR telemetry and threat detection
Microsoft Defender for EndpointAdvanced hunting with KQL
Splunk EnterpriseSIEM log analysis with SPL queries
Elastic SecurityDetection rules and investigation timeline
SysmonDetailed Windows event monitoring
VelociraptorEndpoint artifact collection and hunting
Sigma RulesCross-platform detection rule format

Common Scenarios

  1. Scenario 1: C2 over Discord webhooks for command delivery
  2. Scenario 2: Data exfiltration to Telegram bot API
  3. Scenario 3: Malware using Azure Functions for dynamic C2
  4. Scenario 4: Staging stolen data on Google Docs or Notion pages

Output Format

Hunt ID: TH-HUNTIN-[DATE]-[SEQ]
Technique: T1102
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]

Bundled with this artifact

9 files

Reference files that ship alongside this artifact. Agents pull these in only when the task needs them.

More on the bench

SKILL0

Dependency Audit

Audits project dependencies for security vulnerabilities, license compliance issues, outdated packages, and transitive dependency risk. Use when asked to audit dependencies, review package security, check license compliance, assess dependency health, or produce a vulnerability report. Produces a vulnerability findings table, license compliance matrix, update priority matrix, dependency health score, and 30-day remediation plan.

Mohit Aggarwal
software-engineering+2
0
SKILL0

Isms Audit Expert

Information Security Management System (ISMS) audit expert for ISO 27001 compliance verification, security control assessment, and certification support. Use when the user mentions ISO 27001, ISMS audit, Annex A controls, Statement of Applicability (SOA), gap analysis, nonconformity management, internal audit, surveillance audit, or security certification preparation. Helps review control implementation evidence, document audit findings, classify nonconformities, generate risk-based audit plans, map controls to Annex A requirements, prepare Stage 1 and Stage 2 audit documentation, and support corrective action workflows.

Alireza Rezvani
compliance+2
0
SKILL0

Env Secrets Manager

Manage environment-variable hygiene and secrets safety across local development and production. Practical auditing, drift awareness, rotation readiness. Use when auditing .env files for committed secrets, planning a credential rotation, debugging missing-env-var production incidents, or hardening a new project against secrets leakage.

Alireza Rezvani
software-engineering+2
0